From Compliance to Culture: A Paradigm Shift in the Information and Cybersecurity Mindset

Compliance: A Necessity, But Not the Main Driver

Compliance frameworks are like guardrails on a winding road – they’re essential, but they won’t drive the car for you. They provide a baseline for safety, pointing out where the lines are, but true resilience and progress require more:

Drivers need the skills and possibly the proof (license) to actually stay within them.

Many organizations approach security as a checklist exercise, striving to measure and document compliance with frameworks and regulations like GDPR or ISO 27001. While compliance to these frameworks is crucial for accountability and trust, they often overshadow what truly matters:

Fostering a culture of security that aligns with the organization’s goals and empowers its people.

The reality? Compliance might prevent penalties, but it doesn’t guarantee resilience. True security demands a shift in mindset:

From focusing on external requirements, to embedding security as a core element of the organization’s culture and business quality.

Just think about it: Do you think your CEO gives a hoot about compliance when you actually need to resist a cyberattack, but don’t know where to start? Or when the media, or worse, your competition, gets hold of your most confidential future plans, and nobody is able to see how it happened?

Heisenberg’s Paradox in Information Security

Focusing on compliance offers a challenge that parallels the uncertainty principle[1], also known as Heisenberg’s indeterminacy principle, introduced in quantum mechanics. The principle explains that we cannot simultaneously measure two complementary properties of a system – such as position and momentum – with absolute precision. The more accurately you measure one property, the less precise the measurement of the other becomes.

In the context of information security, this principle offers an insightful analogy. By focusing intensely on measuring and documenting compliance (a static attribute of security), organizations lose clarity on the more dynamic and contextual aspects of security:

• How well users adopt measures.
• How effectively these measures improve resilience and protect against existing and evolving threats.

This creates a paradox:

• The harder we try to document and measure security compliance with detailed precision, the more we risk losing sight of achieving the actual secure processing of information.
• Instead of acting as a means to an end, compliance often becomes a standalone goal, disconnected from its real purpose of supporting organizational success.

When organizations pour resources into proving compliance, they often fail to anticipate future risks. These blind spots leave them vulnerable to emerging threats, as their efforts focus on past performance rather than adaptive resilience.

Measuring and documenting security is important, but it shouldn’t come at the expense of actually being secure.

The Problem with Siloed Security

Many organizations confine security to the IT or Security department or the CISO office, disconnected from broader business strategy. This siloed approach leads to three critical issues:

• Box-Ticking Over Business Alignment: Security initiatives focus on satisfying audits rather than addressing real risks.
• Resistance from the Workforce: Employees view security as a burden imposed by “the department of no” rather than as an enabler.
• False Sense of Security: A completed checklist doesn’t guarantee protection against dynamic threats.

From my experience, these pitfalls create Kafkaesque scenarios where following security processes almost becomes a religion, yet they fail to make organizations truly secure. A paradox.

A Human-Centric Shift: Building Security Around People

To break free from this reactive cycle, we need a new approach: human-centric information security. Rather than starting with frameworks or technology, we begin with people.

For example, consider the purchasing of a new application. In earlier days, security requirements were discussed after the purchasing process. Today, organizations often include enormous lists of security requirements upfront in their purchasing processes. At first glance, this seems like progress. However, these lists are often context-blind monsters:

One-size-fits-all solutions that create a false sense of security without addressing the organization’s unique needs.

The key is not only engaging information owners early but also actively involving them and empowering them to steer on the processing of their information, both now and in the future. These stakeholders provide the necessary input on confidentiality, integrity, and availability requirements specific to their work. They play a crucial role in translating information security policies into their departmental processes, procedures, and work instructions.

By actively involving information owners in defining and documenting security needs, organizations can tailor measures to context rather than defaulting to generic compliance checklists. Without their guidance, organizations risk implementing generic measures that fail to address real challenges, resulting in a hollow sense of compliance.

The Power of Information Streams

A critical piece of this puzzle is mapping information streams: the paths information takes as it flows through the organization. By understanding these streams, we can pinpoint ownership and secure critical assets without overburdening other areas.

Imagine a recruitment process for a new Sales employee:

• Sales defines the candidate profile
• HR manages standard company requirements
• Finance sets salary ranges

Each department handles distinct information types with different security needs.

Treating information security uniformly throughout the entire process often results in Kafkaesque situations.

Example

At some point in the recruitment process, Personally Identifiable Information (PII) from potential candidates becomes part of the workflow. Departments that process PII during the recruitment process must adhere to privacy legislation, requiring additional security measures.

I’ve experienced situations where the mere presence of PII in one part of the process meant that all involved departments had to implement these additional security measures in their workflow. This even included departments that never interacted with the PII because it isn’t necessary for fulfilling their task for the process. Like the Finance department, which only sets the salary bandwidth for the recruitment process).

This approach wastes valuable security resources, makes workflows unnecessarily complex, and creates inefficiencies. But more important: this can ultimately weaken the overall security of the organization.

Instead, focusing on the information streams within the process – and understanding each involved department’s information processing needs – ensures the effective and efficient tailoring of security measures.

Security as Quality: Embedding It in Your Processes

The most successful organizations integrate security into their quality management systems. They don’t treat security as an afterthought, or goal in itself, but as a cornerstone of excellence.

Framing security as a contributor to quality shifts it from being a burden, to becoming a business enabler. For instance:

• Embedding security requirements during the design phase of a product ensures alignment with business goals from the outset and enables you to steer changes effectively throughout its lifecycle.
• Mapping information streams ensures the involvement of the right stakeholders, avoiding IT-dominated perspectives and allows the people most knowledgeable to set the needs for secure information processing regarding their workflows.

This approach not only protects the organization but also enhances the end product, improving trust and usability.

Conclusion

Compliance might be mandatory, but culture is what makes security sustainable. It’s time for organizations to:

1. Engage the Right People: Identify key stakeholders and involve them in defining security needs.
2. Map Information Streams: Understand how information flows through the organization to secure critical points.
3. Integrate Security into Quality: Treat security as a driver of business excellence, embedding it into processes to add value at every step.

Heisenberg’s principle reminds us: don’t let measurement overshadow the goal. By prioritizing the dynamic aspects of security (beyond measuring and documenting compliance) organizations realize a security culture that adapts and thrives.

Building a culture of security fosters proactive behaviors, ensuring the preparation of teams to quickly adapt as threats evolve. By shifting from compliance to culture, you’re not just building a safer organization: you’re building a smarter, more resilient one. Let’s make security the foundation that empowers innovation and success.

[1] Uncertainty principle – Wikipedia